IAM Members and Policies
Introduction to IAM members and policies.
Apart from roles and permissions, IAM has two other building blocks: members and policies.
You have already seen the "can do what" part of the IAM definition; this lesson focuses on the "who" (members) and the "how" (policies).
IAM members#
As per Google Cloud:
“A member can be a Google Account (for end-users), a service account (for apps and virtual machines), a Google group, or a Google Workspace or Cloud Identity domain that can access a resource. The identity of a member is an email address associated with a user, service account, or Google group; or a domain name associated with Google Workspace or Cloud Identity domain.”
To simplify, let's go through the member types one by one.
Members of IAM can be:
- Google Account: Any Google Account, including a personal Gmail address, can be granted access to a project or to a specific resource. In a policy it appears as `user:EMAIL`.
- Service Account: A service account is an identity that belongs to GCP itself rather than to a person; applications and virtual machines run as one, and it appears in a policy as `serviceAccount:EMAIL`. For example, to stop a particular virtual machine from reaching any other resource, remove every role bound to that machine's service account; the change takes effect once the updated policy has propagated, not at the instant you save it.
- Google Groups: Often you want to give the same permissions to a whole team. Instead of binding each person individually, bind the group's email address (`group:EMAIL`) to the role and then add or remove people from the group. Membership changes take effect in IAM without touching the policy, which also means whoever administers the group effectively administers that access.
- Cloud Identity Domain: A domain member (`domain:DOMAIN`, for example everyone with an @educative.io address) represents every account in that domain. An organization that does not use Google Workspace manages these users through the Cloud Identity service and grants them access to GCP the same way.
- Google Workspace Domain: If an organization uses Google Workspace (formerly G Suite) for email and other company-wide services, its users are already Google Accounts and the GCP organization resource is tied to that Workspace account, so no separate sync is needed. The whole domain can be bound with `domain:DOMAIN`, exactly like a Cloud Identity domain.
Apart from these, two predefined keywords represent a special type of member.
- allAuthenticatedUsers: A special identifier representing all service accounts and all users on the internet who have authenticated with a Google Account. It includes accounts that are not connected to any Google Workspace or Cloud Identity domain, such as personal Gmail accounts. Unauthenticated users, such as anonymous visitors, are excluded.
- allUsers: A special identifier representing every user on the internet, authenticated or not.
Granting a role to either keyword makes the resource public in practice, because anyone can create a free Gmail account and thereby count as "authenticated". If your organization never intends to share resources this way, the organization policy constraint `constraints/iam.allowedPolicyMemberDomains` (domain restricted sharing) blocks such bindings from being created.
Now that you know the types of members in GCP, let's look at "how" to control their access to services using IAM.
IAM policy#
Every resource that supports IAM carries an allow policy. Granting a role to a member does not create a separate object; it adds the member to a binding in that resource's policy (or creates the binding if the role was not yet granted to anyone). A policy is a list of bindings, and each binding ties one role to a list of members. IAM grants roles only, never individual permissions, so a member obtains a permission only through a role that contains it.
Let's look at the structure of a policy.
A binding pairs a single role with every member that holds it; a member holding several roles therefore appears in several bindings. A policy also carries an `etag` (used for read-modify-write concurrency control, so two administrators cannot silently overwrite each other's changes) and a `version`; version 3 policies can attach a condition to a binding.
Usually roles are granted through the console and Google Cloud builds the binding internally. The same policy can also be read and written from the command line: `gcloud projects get-iam-policy` dumps it, `gcloud projects set-iam-policy` replaces it wholesale, and `gcloud projects add-iam-policy-binding` adds a single member-to-role binding.
To see the raw policy structure, open the Policy Troubleshooter and check a member's access to a particular resource.
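The following script is an added example for this lesson, not Google's code and not taken from the lesson itself. It works on the JSON shape described above (a list of bindings, each pairing one role with a list of members), checks that every member uses one of the identifier forms from the member list, computes the roles a given principal holds, and flags bindings granted to the two public keywords. The policy, the group membership table and all e-mail addresses are constructed for the example; group membership is expanded one level only, and IAM conditions and deny policies are ignored.

```python
"""Offline inspection of a GCP IAM allow policy (added example, not Google's code).

Parses a policy in the JSON shape returned by
`gcloud projects get-iam-policy PROJECT --format=json`, validates member
identifiers, lists the roles a principal holds, and flags public bindings.
Assumptions: constructed sample data; one-level group expansion; no
conditions or deny policies.
"""
import json
import re

# Member identifier forms covered by the lesson.  A real policy may also
# contain deleted:... and principal:// (identity-federation) members; the
# regex deliberately rejects those so they get a human look.
MEMBER_RE = re.compile(
    r"^(?:"
    r"(?:user|serviceAccount|group):[^:\s@]+@[^:\s@]+"   # email-based members
    r"|domain:[A-Za-z0-9.-]+"                           # every account in a domain
    r"|allUsers|allAuthenticatedUsers"                  # the two special keywords
    r")$"
)

# Constructed sample policy (names and etag are made up).
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "etag": "BwXexampleEtag=",
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com"]},
    {"role": "roles/viewer",
     "members": ["group:sre@example.com", "domain:example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers"]},
    {"role": "roles/logging.viewer",
     "members": ["allAuthenticatedUsers",
                 "serviceAccount:ci@my-project.iam.gserviceaccount.com"]}
  ]
}
""")

# Constructed group membership; in reality this comes from Google Groups.
SAMPLE_GROUPS = {
    "group:sre@example.com": {"user:bob@example.com", "user:dave@contractor.example"},
}

PUBLIC_MEMBERS = ("allUsers", "allAuthenticatedUsers")


def validate_policy(policy):
    """Return a list of problems found in the policy (empty list = well-formed)."""
    problems = []
    for i, binding in enumerate(policy.get("bindings", [])):
        role = binding.get("role", "")
        # Predefined and basic roles are roles/...; custom roles live under a
        # project or an organization.
        if not role.startswith(("roles/", "projects/", "organizations/")):
            problems.append(f"binding {i}: unexpected role name {role!r}")
        for member in binding.get("members", []):
            if not MEMBER_RE.match(member):
                problems.append(f"binding {i}: malformed member {member!r}")
    return problems


def binding_covers(binding_member, principal, groups):
    """True if one member entry of a binding applies to `principal`."""
    if binding_member == principal or binding_member == "allUsers":
        return True
    if binding_member == "allAuthenticatedUsers":
        # Any Google Account or service account, whatever its domain.
        return principal.startswith(("user:", "serviceAccount:"))
    if binding_member.startswith("domain:"):
        domain = binding_member[len("domain:"):]
        return principal.startswith("user:") and principal.endswith("@" + domain)
    if binding_member.startswith("group:"):
        return principal in groups.get(binding_member, ())
    return False


def roles_for(policy, principal, groups=None):
    """Sorted list of roles `principal` holds under `policy`."""
    groups = groups or {}
    return sorted({
        b["role"]
        for b in policy["bindings"]
        for m in b["members"]
        if binding_covers(m, principal, groups)
    })


def public_bindings(policy):
    """(role, member) pairs granted to allUsers or allAuthenticatedUsers.

    Both should be reviewed as public: anyone can create a Gmail account,
    so allAuthenticatedUsers is not a meaningful restriction.
    """
    return [(b["role"], m)
            for b in policy["bindings"]
            for m in b["members"] if m in PUBLIC_MEMBERS]


if __name__ == "__main__":
    print("problems:", validate_policy(SAMPLE_POLICY) or "none")
    for who in ("user:alice@example.com", "user:dave@contractor.example",
                "user:mallory@gmail.com"):
        print(who, "->", roles_for(SAMPLE_POLICY, who, SAMPLE_GROUPS))
    for role, member in public_bindings(SAMPLE_POLICY):
        print(f"PUBLIC: {role} granted to {member}")
```

Run it against a real policy by replacing `SAMPLE_POLICY` with the parsed output of `gcloud projects get-iam-policy PROJECT --format=json`; the `public_bindings` check is the one worth scheduling, since a single `allUsers` binding on a bucket or a function is the most common way a GCP resource ends up exposed.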
Using policy troubleshooter#
Update: in the newer console layout, the IAM & Admin menu has been moved under the Identity & Security menu.
- Open the Policy Troubleshooter from the IAM & Admin menu.
- Fill in the member's email address (the one you used to sign up for GCP), select the project, enter the permission to check, then click the "CHECK API CALL" button.
- The output shows whether the member has the permission, which roles contain it, and the bindings that grant those roles, including every member listed in them.
The output will be similar to this one:
```json
{
  "bindings": [
    {
      "role": "roles/owner",
      "members": [
        "user:gcpcourseeducative@gmail.com"
      ]
    }
  ]
}
```
The next step is learning how to create users and assign IAM roles through the Google Cloud Console.